feat(ws): Define k8s workload manifest for backend component + istio - #324

Liav Weiss (EXT-Nokia) · Liav Weiss (EXT-Nokia) · commit 69a6f97f4f66 · 2025-08-04T14:53:13.000+03:00
Signed-off-by: Liav Weiss (EXT-Nokia) &lt;liav.weiss.ext@nokia.com&gt;
diff --git a/workspaces/backend/Makefile b/workspaces/backend/Makefile
@@ -155,12 +155,12 @@ $(GOLANGCI_LINT): $(LOCALBIN)
 
 .PHONY: deploy
 deploy: kustomize ## Deploy backend to the K8s cluster specified in ~/.kube/config.
-	cd manifests/kustomize/base && $(KUSTOMIZE) edit set image nb-backend=${IMG}
-	$(KUSTOMIZE) build manifests/kustomize/base | $(KUBECTL) apply -f -
+	cd manifests/kustomize/overlays/istio && $(KUSTOMIZE) edit set image workspaces-backend=${IMG}
+	$(KUBECTL) apply -k manifests/kustomize/overlays/istio
 
 .PHONY: undeploy
 undeploy: kustomize ## Undeploy backend from the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build manifests/kustomize/base | $(KUBECTL) delete --ignore-not-found=true -f -
+	$(KUBECTL) delete -k manifests/kustomize/overlays/istio --ignore-not-found=true
 
 
 ##@ Dependencies
diff --git a/workspaces/backend/manifests/kustomize/base/deployment.yaml b/workspaces/backend/manifests/kustomize/base/deployment.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: backend
+  name: workspaces-backend
 spec:
   replicas: 1
   selector:
@@ -15,21 +15,21 @@ spec:
     metadata:
       labels: {}
     spec:
-      serviceAccountName: backend
+      serviceAccountName: workspaces-backend
       securityContext:
         runAsNonRoot: true
       terminationGracePeriodSeconds: 30
       containers:
-      - name: nb-backend
-        image: nb-backend
+      - name: workspaces-backend
+        image: workspaces-backend
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - "ALL"
         ports:
-        - name: http-backend
+        - name: http-api
           containerPort: 4000
         env:
         - name: PORT
@@ -44,7 +44,7 @@ spec:
         livenessProbe:
           httpGet:
             path: /api/v1/healthcheck
-            port: http-backend
+            port: http-api
             scheme: HTTP
           initialDelaySeconds: 30
           periodSeconds: 20
@@ -54,10 +54,10 @@ spec:
         readinessProbe:
           httpGet:
             path: /api/v1/healthcheck
-            port: http-backend
+            port: http-api
             scheme: HTTP
           initialDelaySeconds: 10
           periodSeconds: 10
           timeoutSeconds: 5
           failureThreshold: 3
-          successThreshold: 1
+          successThreshold: 1
diff --git a/workspaces/backend/manifests/kustomize/base/kustomization.yaml b/workspaces/backend/manifests/kustomize/base/kustomization.yaml
@@ -1,21 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-namespace: kubeflow-system
-namePrefix: nb-
+namespace: kubeflow-workspaces
 
 resources:
-  - service_account.yaml
-  - rbac.yaml
-  - service.yaml
-  - deployment.yaml
-
-images:
-  - name: nb-backend
-
-labels:
-- includeSelectors: true
-  pairs:
-    app.kubernetes.io/name: kubeflow-notebooks
-    app.kubernetes.io/component: backend
-    app.kubernetes.io/managed-by: kustomize
+- namespace.yaml
+- service_account.yaml
+- rbac.yaml
+- service.yaml
+- deployment.yaml
diff --git a/workspaces/backend/manifests/kustomize/base/namespace.yaml b/workspaces/backend/manifests/kustomize/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubeflow-workspaces
diff --git a/workspaces/backend/manifests/kustomize/base/rbac.yaml b/workspaces/backend/manifests/kustomize/base/rbac.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: backend-clusterrole
+  name: workspaces-backend
 rules:
 - apiGroups:
   - kubeflow.org
@@ -16,16 +16,24 @@ rules:
   - update
   - patch
   - delete
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: backend-clusterrolebinding
+  name: workspaces-backend
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: backend-clusterrole
+  name: workspaces-backend
 subjects:
 - kind: ServiceAccount
-  name: nb-backend
-  namespace: kubeflow-system
+  name: workspaces-backend
+  namespace: kubeflow-workspaces
diff --git a/workspaces/backend/manifests/kustomize/base/service.yaml b/workspaces/backend/manifests/kustomize/base/service.yaml
@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: backend
+  name: workspaces-backend
 spec:
   selector: {}
   ports:
-  - name: http-backend
+  - name: http-api
     port: 4000
-    targetPort: http-backend
-  type: ClusterIP
+    targetPort: http-api
+  type: ClusterIP
diff --git a/workspaces/backend/manifests/kustomize/base/service_account.yaml b/workspaces/backend/manifests/kustomize/base/service_account.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: backend
+  name: workspaces-backend
diff --git a/workspaces/backend/manifests/kustomize/components/common/kustomization.yaml b/workspaces/backend/manifests/kustomize/components/common/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/component: workspaces-backend
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: kubeflow-workspaces
+    app.kubernetes.io/part-of: kubeflow
diff --git a/workspaces/backend/manifests/kustomize/components/istio/authorization-policy.yaml b/workspaces/backend/manifests/kustomize/components/istio/authorization-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: workspaces-backend
+spec:
+  action: ALLOW
+  selector:
+    matchLabels: {}
+  rules:
+  - {}
diff --git a/workspaces/backend/manifests/kustomize/components/istio/destination-rule.yaml b/workspaces/backend/manifests/kustomize/components/istio/destination-rule.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: workspaces-backend
+spec:
+  host: workspaces-backend.kubeflow-workspaces.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: DISABLE
diff --git a/workspaces/backend/manifests/kustomize/components/istio/kustomization.yaml b/workspaces/backend/manifests/kustomize/components/istio/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- destination-rule.yaml
+- virtual-service.yaml
+- authorization-policy.yaml
diff --git a/workspaces/backend/manifests/kustomize/components/istio/virtual-service.yaml b/workspaces/backend/manifests/kustomize/components/istio/virtual-service.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: workspaces-backend
+spec:
+  gateways:
+  - kubeflow/kubeflow-gateway
+  hosts:
+  - '*'
+  http:
+  - match:
+    - uri:
+        prefix: /workspaces/api/
+    rewrite:
+      uri: /api/
+    route:
+    - destination:
+        host: workspaces-backend.kubeflow-workspaces.svc.cluster.local
+        port:
+          number: 4000
diff --git a/workspaces/backend/manifests/kustomize/options/istio/destination-rule.yaml b/workspaces/backend/manifests/kustomize/options/istio/destination-rule.yaml
diff --git a/workspaces/backend/manifests/kustomize/options/istio/istio-authorization-policy.yaml b/workspaces/backend/manifests/kustomize/options/istio/istio-authorization-policy.yaml
diff --git a/workspaces/backend/manifests/kustomize/options/istio/kustomization.yaml b/workspaces/backend/manifests/kustomize/options/istio/kustomization.yaml
diff --git a/workspaces/backend/manifests/kustomize/options/istio/virtual-service.yaml b/workspaces/backend/manifests/kustomize/options/istio/virtual-service.yaml
diff --git a/workspaces/backend/manifests/kustomize/overlays/istio/kustomization.yaml b/workspaces/backend/manifests/kustomize/overlays/istio/kustomization.yaml
